NO.159 Web Application Security
March 18 - 21, 2024 (Check-in: March 17, 2024 )
- Limin Jia
- Carnegie Mellon University, USA
- Tamara Rezk
- INRIA, France
- Sukyoung Ryu
- Korea Advanced Institute of Science and Technology, Korea
Today’s web applications are a mix of existing online libraries and data that are combined to write applications in a rapid and inexpensive manner. Moreover, the last decades have witnessed an accelerating trend to integrate not only documents and code but also the so called Web of Things that uses web applications to connect homes, cars, appliances, and other physical devices. However, this same ﬂexibility together with the mix of heterogeneous technologies make the task of programming secure web applications and protecting users against exploits very complex. As web applications are becoming essential in people’s life, web and browser vulnerabilities as well as privacy issues associated with web technologies such as tracking and ﬁngerprinting have become a major threat that people face today.
Academic web security research has started in 2007 and since then there has been three dedicated web application security meetings in Dagstuhl (Europe) in 2009, 2012, and 2018 to gather and encourage discussions among researchers and industry leaders in the area. This meeting will follow the series and be held for the ﬁrst time in Asia. The aim of this meeting is to provide a forum to
- Discuss recent developments and issues in security and privacy of web technology , as for example the lack of scalable program analysis tools to identify vulnerabilities including XSS, privacy leaks in web applications. In particular, server-side of the logic in web applications has not been included in previous analyses, which are the consequences of this?
- Discuss the eﬀectiveness of security mechanisms in face of the current overall vulnerability landscape
In particular, we plan to address the following questions: what do formal methods bring to web security and privacy in practice? Which security analyses are appropriate in face of the heterogeneity of technologies required in modern web applications? The heterogeneity and new security threats of Web of Things technology makes analysis or enforcing security policies even more diﬃcult: which are the new security and privacy concerns in the Web of Things? How to bring state of the art to practice? What are the actual obstacles that prevent the technology from being applied? The steep learning curve (usability of the tool), and infrastructure depen-dency makes it diﬃcult to keep a tool up to date with the newest infrastructure (e.g., tools that require heavy modiﬁcation of software infrastructure such as Chrome simply cannot keep up with Google’s frequent updates to Chrome). One research direction would be to develop techniques that are infrastructure independent.
To promote discussions, we plan to organise breakout sessions with time to discuss diﬀerent topics. We will encourage tutorials, brainstorming and working-group sessions rather than mere conference-like presentations.
 Web Application Security. Dan Boneh, Ulfar Erlingsson, Martin johns, and Benjamin Livshits. Dagstuhl 2009. https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=09141
 Web Application Security. Lieven Desmet, Martin Johns, Benjamin Livshits, and Andrei Sabelfeld. Dagstuhl 2012. https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=12401
 Web Application Security. Martin Johns, Nick Nikiforakis, Melanie Volkamer, and john Wilander. Dagstuhl 2018. https://www.dagstuhl.de/en/program/calendar/semhp/?semnr=183212